In broadcast encryption, a subscriber (the broadcaster) encrypts a message M based on a subscriber set S to obtain a cipher text C and broadcasts the cipher text C through a common channel. The set S is a subset that the broadcaster may select arbitrarily from all the subscribers, and the subscribers in the set S are capable of decrypting the cipher text C to obtain the message M. Broadcast encryption may be used in applications such as access control to an encrypted file system, subscription service for television, DVD content protection, conditional access for digital video broadcasting (DVB) and the like.
Various broadcast encryption schemes have been proposed. For example, two broadcast encryption schemes, the BW1 scheme and the BW2 scheme, have been proposed in D. Boneh et al., “Collusion resistant broadcast encryption with short ciphertexts and private keys,” CRYPTO, pages 258-275, 2005. For the BW1 scheme, the private key is of size O(1) and the public key is of size O(n); for the BW2 scheme, the private key is of size O(√n) and the public key is of size O(√n). An identity-based broadcast encryption scheme has been proposed in C. Delerablee, “Identity-based broadcast encryption with constant size ciphertexts and private keys,” ASIACRYPT, pages 200-215, 2007, wherein the cipher text and private key are of fixed size, and the public key size is a linear function of the maximum size, allowed by the system, of the set S of authorized receiving subscribers. The drawback of Delerablee's scheme is that it can be proved secure only in the random oracle model. Moreover, in the above two schemes, because the public key is involved in the decryption process, the corresponding public key has to be transmitted along with the broadcast cipher text. Therefore, the cipher text size can be in direct proportion to the number of all the subscribers, or can be in direct proportion to the maximum size of the set S of authorized receiving subscribers allowed by the system. Three broadcast encryption schemes having public keys of fixed size have been proposed in Liu and Tzeng, “Public key broadcast encryption with low number of keys and constant decryption time,” Public Key Cryptography, pages 380-396, 2008. The first scheme has a cipher text size of O(r) and a private key size of O(log n); the second scheme has a cipher text size of O(r) and a private key size of O(log^2 n); the third scheme has a cipher text size of O(r/ε) and a private key size of O(log^(1+ε) n), wherein r is the number of subscribers whose decryption privilege has been revoked.
Liu and Tzeng's schemes have the same drawback in that they can be proved secure only in the random oracle model, and they have a transmission bandwidth in direct proportion to r. This means that their schemes are not applicable if the number of subscribers whose decryption privileges have been revoked increases to some extent.